MEMORANDUM FOR: Charles E. Allen 

Under Secretary for Intelligence & Analysis 

FROM: Richard L. Skinner 

Inspector General 

SUBJECT: National Applications Office Privacy Stewardship 

We reviewed the Department of Homeland Security (DHS) National Applications Office 
(NAO) privacy stewardship to determine whether NAO's plans and activities instill and 
promote a privacy culture and are in compliance with privacy regulations. Privacy 
stewardship includes establishing privacy requirements prior to program initiation, 
privacy risk assessment and mitigation, and privacy integration in the program operation. 

Generally, NAO is making good progress in developing an effective privacy program for 
its operations. Specifically, NAO involved the DHS Privacy Office early in program 
planning and development of key organizational documents. Also, NAO acknowledges 
privacy requirements and states a commitment to privacy in its Charter. By doing so, 
NAO signaled its intent to incorporate accepted privacy principles in its policies and 
operating procedures. We identified several elements that serve as a framework for 
NAO's privacy stewardship. These include ongoing privacy oversight by departmental 
privacy and civil liberties officers, public notice of system of records, training of NAO 
personnel, and approved risk assessments. However, a revised Privacy Impact 
Assessment and a Civil Liberties Impact Assessment reflecting changes in the Charter are 
still necessary prior to NAO becoming operational. 

We recommend the Under Secretary for Intelligence & Analysis direct the Director of 
NAO to obtain approval by the DHS Privacy Office of an updated program Privacy 
Impact Assessment reflecting a signed Charter and standard operating procedures and 
approval by the DHS Office for Civil Rights and Civil Liberties of NAO's Civil Liberties 
Impact Assessment. 




National Applications Office Privacy Stewardship 



Background 



NAO will perform a centralized role to facilitate access to and proper use of various 
intelligence community disciplines and capabilities 



Within legal boundaries, 
NAO will share intelligence for domestic scientific, geographic, or environmental 
research; homeland security; preparation, response, and mitigation of disasters; terrorism 
response and mitigation; border protection; and criminal and civil law enforcement. 

The Director of National Intelligence formed a planning team for NAO in September 
2006 and designated the DHS Secretary as Executive Agent of NAO in June 2007. By 
August 2007, the DHS Secretary delegated management authority to the Office of 
Intelligence & Analysis, which together with NAO, issued a Concept of Operations. 
DHS intended for NAO to be operational by October 2007. Figure 1, Timeline of Key 
Activities, indicates NAO's developmental activities and initial privacy stewardship 
activities from September 2005 to December 2007. 



Figure 1: Timeline of Key Activities 
Results of Review 



Framework for Privacy Stewardship is Ready for Implementation 

In September 2007, NAO sought agreement from partner Departments to finalize its 
Charter. 2 NAO involved the Office of the Director of National Intelligence Civil 
Liberties Protection Office, and the DHS Office of Policy, Privacy Office, and Office for 
Civil Rights and Civil Liberties to ensure that the Charter adequately addresses DHS 
policies and privacy and civil liberties safeguards. Additionally, NAO added other key 
elements in developing its framework for privacy stewardship and implementing active 
monitoring of privacy compliance. 

The elements supporting privacy stewardship include: Charter and standard operating 
procedures, ongoing guidance from DHS and the Office of the Director of National 
Intelligence, privacy and civil liberties training, and public notice of a system of records. 
The left column of Figure 2, Framework for Privacy Stewardship, shows what elements 
are needed as the foundation for NAO's framework. The second column identifies what 
NAO is addressing to comply with the legal requirements. In the third column, 
comments describe the status or a check (✓) indicates completion. The last column 
indicates the legal requirement or enabling legislation for oversight groups. 



Figure 2: Framework for Privacy Stewardship 

| Elements that are Needed | What NAO is Addressing | Status | Requirement |
|---|---|---|---|
| 1) Legal framework that complies with existing laws, including all applicable privacy standards | Charter and standard operating procedures | Pending signatory concurrence | Consolidated Appropriations Act, 2008, H.R. 2764 §525 |
| 2) External oversight and monitoring | Ongoing guidance and monitoring from DHS Privacy Office, DHS Office for Civil Rights and Civil Liberties, and Office of the Director of National Intelligence Civil Liberties Protection Officer; ongoing guidance from DHS Office of Policy, Office of General Counsel | | 6 USC §142 (DHS Privacy Officer) and §345 (Officer for Civil Rights and Civil Liberties); Intelligence Reform and Terrorism Prevention Act of 2004, P.L. 108-458, §103D; 50 USC 403-1 (ODNI Civil Liberties Protection Officer) |

Data as of February 26, 2008 



2 The draft NAO Charter identifies Departments of Homeland Security, Interior, Justice, and Defense, and 
the Office of the Director of National Intelligence as its signatories. 
The first element of privacy stewardship is a legal framework that includes a Charter and 
standard operating procedures. The Charter ensures NAO's compliance with all laws, 
policies and procedures that protect privacy, civil rights, and civil liberties. 
The Charter is a binding agreement among the signatories that describes NAO's mission, 
infrastructure for operational oversight, and roles and responsibilities of stakeholders, 
partners, and customers. Both the Charter and standard operating procedures further 
define partner and customer interactions because NAO will work with members of the 
intelligence community and users outside the intelligence community to support civil, 
homeland security, and law enforcement applications. These procedures embed privacy 
protections into NAO's daily operations, such as 



The second element supporting NAO's privacy stewardship is external oversight and 
monitoring. The DHS Privacy Office, DHS Office for Civil Rights and Civil Liberties, 
and Office of the Director of National Intelligence Civil Liberties Protection Office provide 
guidance and monitoring to ensure compliance with privacy and civil liberties 
protections. The DHS Offices of Policy and General Counsel provide external oversight 
concerning policy and legal matters. The National Applications Executive Committee is 
the oversight body for NAO. The three Committee chairs, the Deputy Secretary of DHS, 
the Deputy Secretary of the Interior, and the Principal Deputy Director of National 
Intelligence will be aided in their oversight roles by their privacy, civil liberties, and civil 
rights advisors. 



Figure 2: Framework for Privacy Stewardship (continued) 

| Elements that are Needed | What NAO is Addressing | Status | Requirement |
|---|---|---|---|
| 3) Training in privacy awareness and privacy and civil liberties in intelligence activities | Privacy Awareness and intelligence activity training for personnel including rules, requirements, and penalties for violations | | Privacy Act of 1974, as amended, 5 USC §552a (e)(9) |
| | Customer training | Planned | |
| 4) Published Notice of System of Records | System of Records Notice covered by Homeland Security Operations Center | | Privacy Act of 1974, as amended, 5 USC §552a (e)(4) |

Data as of February 26, 2008 
The third element in NAO's framework for privacy stewardship is training on privacy 
awareness and intelligence oversight activity. 3 As it becomes operational, NAO is 
responsible for properly administering privacy safeguards for the public and the 
intelligence community. To comply with the Privacy Act of 1974, as amended, NAO 
must ensure all personnel including customers are properly trained and aware of potential 
privacy issues and safeguards. 4 In September 2007, NAO complied with the Act's 
requirements by providing privacy training, which included rules of conduct and 
consequences for privacy noncompliance. 

To comply with its draft Charter, NAO must train personnel on the proper conduct of 
intelligence oversight. The DHS Office of General Counsel provided this training to 
NAO personnel in September 2007. As part of NAO's new employee orientation and 
ongoing training programs, personnel will complete both privacy awareness and 
intelligence oversight activity training. NAO also plans to develop specific privacy 
training and guidance for its nontraditional customers and applications. 

The fourth element of the privacy stewardship framework is a public notice of NAO's 
system of records. A system of records is a group of records under the control of an 
agency from which information is retrieved by the individual's name or some other 
identifier assigned to the individual. The Privacy Act of 1974, as amended, 5 USC 552a 
(e)(4), requires each agency to publish a System of Records Notice (SORN) in the 
Federal Register describing the purpose of the system, the types of information contained 
therein, and details for individuals to gain access to information relevant to the individual 
stored in the system. NAO's proposed system of records is covered under the SORN for 
the Homeland Security Operations Center, 70 F.R. 20061 (April 18, 2005). As NAO 
develops its products and services, it will need to review its activities to ensure that any 
new information that it collects and maintains is appropriately described by the SORN. 

NAO Risk Assessments are Being Finalized 

Two different types of risk assessments on NAO's program and its information need to 
be completed. Through a Privacy Impact Assessment, the DHS Privacy Office evaluates 
possible privacy risks and discusses the mitigation of those risks at the beginning and 
throughout the development life cycle of a program that handles personal data. Through a 
Civil Liberties Impact Assessment, the DHS Office for Civil Rights and Civil Liberties 
will ensure that the domestic use of intelligence capabilities and products complies with 
constitutional, statutory, regulatory, policy, and other requirements relating to the civil 
rights and civil liberties of individuals affected. 



3 NAO requires training regarding Executive Order 12333 United States Intelligence Activities for personnel 
so its intelligence activities are conducted in a manner that protects the Constitutional rights and privacy of 
U.S. persons. 

4 The Privacy Act of 1974, as amended, provides protections and handling requirements for records 
containing information about individuals that are collected and maintained by the federal government and are 
retrieved by a personal identifier. 
The left column of Figure 3, NAO Risk Assessments, indicates that two different types of 
risk assessments are needed. The second column indicates the areas of risk that NAO is 
reviewing. In the third column, comments describe the status or a check (✓) indicates 
completion. The last column lists the requirements for privacy assessments and for the 
review of civil rights and civil liberties protections in NAO activities. 



Figure 3: NAO Risk Assessments 

| What Assessments Are Needed | What NAO is Reviewing | Status | Requirement |
|---|---|---|---|
| 1) Approved Privacy Impact Assessments | Privacy risks: a) Program; b) Program revisions resulting from updated Charter and standard operating procedures, including customer/partner processes | Planned | E-Government Act of 2002, P.L. 107-347, §208 (b) |
| 2) Approved Civil Liberties Impact Assessment | Civil liberties risks | Pending approval | 6 USC §345 (Officer for Civil Rights and Civil Liberties) |

Data as of February 26, 2008 



The first type of assessment, a Privacy Impact Assessment, is required by section 208 of 
the E-Government Act of 2002. In June 2007, NAO submitted a completed Privacy 
Impact Assessment to the DHS Privacy Office. This assessment described how NAO 
would comply with the Privacy Act of 1974, as amended. However, NAO's initial 
program plans will change because it is still finalizing its Charter, standard operating 
procedures, and customer partner processes to gain concurrence by stakeholders and 
partners. Therefore, NAO plans to update its initial Privacy Impact Assessment to reflect 
those changes. 

The second type of assessment, Civil Liberties Impact Assessment, is the approach that 
DHS Office for Civil Rights and Civil Liberties is using to satisfy its assessment 
requirements under the Implementing Recommendations of the 9/11 Commission Act of 
2007 (Pub. L. 110-53). The Office for Civil Rights and Civil Liberties is finalizing this 
assessment to ensure that civil liberties are not diminished by programs aimed at securing 
the homeland. 



The organizational framework for NAO is still under development and waiting for final 
approval. NAO is a complex organization involving many stakeholders, partners and 
constituents. All of these groups have different concerns and priorities. The Charter, 
privacy and civil liberties risk assessments, and other key documents create a 
framework that shows how NAO will be capable of accomplishing an important mission 
that supports existing privacy laws and policies. However, for a framework of privacy 
stewardship to be realized, risk assessments must be based upon NAO's preliminary 
activities to instill a culture of privacy and the standard operating procedures and the 
finalized Charter. 

Recommendations 

We recommend that the Under Secretary for Intelligence & Analysis direct the Director 
of NAO to: 

Recommendation #1: Obtain approval by the DHS Privacy Office of an updated 
program Privacy Impact Assessment reflecting a signed Charter and standard 
operating procedures. 

Recommendation #2: Obtain approval of NAO's Civil Liberties Impact 
Assessment by the DHS Office for Civil Rights and Civil Liberties. 

Management Comments and OIG Analysis 

We obtained written comments on a draft of this report from the Under Secretary for 
Intelligence & Analysis. We reviewed the Under Secretary's suggestions and made 
changes where appropriate. We have included a copy of the comments in Appendix A. 

The Under Secretary for Intelligence & Analysis concurred with our findings and 
recommendations. We consider our recommendations resolved, but open pending our 
review of actions taken by NAO. 

The review is based on analysis of applicable documentation and interviews with 
personnel and officials of relevant agencies and institutions. We conducted our audit 
from October 19, 2007 to February 29, 2008 under the authority of the Inspector General 
Act of 1978, as amended, and according to generally accepted government audit 
standards. 
Appendix A 

Management Comments 



U.S. Department of Homeland Security 

Washington, DC 20528 

April 1, 2008 

MEMORANDUM FOR: Richard Skinner 
Inspector General 

FROM: Charles E. Allen 

Under Secretary for Intelligence and Analysis 

SUBJECT: Response to Draft Letter Report National Applications 

Office Privacy Stewardship 



I have reviewed your draft report, National Applications Office Privacy 
Stewardship, and appreciate your candid review of this new program, which will become 
an important mission of the Department. I have endorsed the two recommendations 
made in your draft report and am pleased to report that the NAO staff has already taken 
action on both recommendations. 

• On Recommendation 1, the DHS Office of Privacy completed an updated 
program Privacy Impact Assessment on March 11, 2008. 

• On Recommendation 2, the DHS Officer for Civil Rights and Civil 
Liberties completed a Civil Liberties Impact Assessment on March 5, 
2008. 

Because action on the two recommendations has now been completed, I suggest that they 
not be included in your final report. 

Finally, your report noted the need for a signed charter. Again, I am pleased to 
report that the NAO charter was signed by DHS, DOD, DOI, DNI, and DOJ on February 
29, 2008. Copies of the signed charter, Privacy Impact Statement, Civil Liberties Impact 
Statement, and three key NAO Standard Operating Procedures have been provided to 
your Office. In addition to the comments above, my staff has separately provided some 
minor technical edits for your consideration. 

I am personally grateful to you and your staff for the very professional manner in 
which you and your officers have handled this review. As you can see, privacy, civil 
rights, and civil liberties have been a central consideration throughout the development of 
the NAO. 
Appendix B 

Major Contributors to this Report 

Special Projects Division 

Marj Learning, Director 

R. Steve Durst, Audit Manager 

Michael Galang, Management and Program Analyst 

Kyle Peterson, Management and Program Assistant 

Gretchen Trygstad, Management and Program Assistant 

Anthony Nicholson, Referencer 
Appendix C 

Report Distribution 

Department of Homeland Security 

Secretary 
Deputy Secretary 
Chief of Staff 
Deputy Chief of Staff 
General Counsel 
Executive Secretary 

Under Secretary for Intelligence and Analysis 

Deputy Assistant Secretary, Mission Integration 

Assistant Secretary for Policy 

Assistant Secretary for Public Affairs 

Assistant Secretary for Legislative Affairs 

Acting Director, National Applications Office 

Director, GAO/OIG Liaison Office 

Office of Intelligence & Analysis Audit Liaison 

Chief Privacy Officer 

Officer for Civil Rights and Civil Liberties 

Office of Management and Budget 

Chief, Homeland Security Branch 
DHS OIG Budget Examiner 

Congress 

Congressional Oversight and Appropriations Committees, as appropriate 
Additional Information and Copies 

To obtain additional copies of this report, call the Office of Inspector General 
(OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web 
site at www.dhs.gov/oig. 



OIG Hotline 

To report alleged fraud, waste, abuse or mismanagement, or any other kind of 
criminal or noncriminal misconduct relative to department programs or 
operations: 

• Call our Hotline at 1-800-323-8603; 

• Fax the complaint directly to us at (202) 254-4292; 

• Email us at DHSOIGHOTLINE@dhs.gov; or 

• Write to us at: 

DHS Office of Inspector General/MAIL STOP 2600, Attention: 
Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, 
Washington, DC 20528. 

The OIG seeks to protect the identity of each writer and caller. 



